Saturday, November 08, 2008
Sunday, October 05, 2008
Friday, August 15, 2008
Sunday, July 20, 2008
Tuesday, June 24, 2008
Wednesday, June 11, 2008
[1st July 2008] Syscan - Singapore
Secure Application Coding Training
Application source code, independent of languages and platforms, is a major source for vulnerabilities. One of the CSI surveys on vulnerability distribution suggests that 64% of the time, a vulnerability crops up due to programming errors and 36% of the time, due to configuration issues. According to IBM labs, there is a possibility of at least one security issue contained in every 1,500 lines of code. To avoid these sort of security issues one needs to follow sound secure coding and design principals. It is also imperative to know code review methodologies and strategies to assess the quality of code before deploying to the production. The course is designed by the author of "Web Hacking: Attacks and Defense", “Hacking Web Services” and “Web 2.0 Security – Defending Ajax, RIA and SOA” bringing his experience in application security and research as part of curriculum.
Secure Coding course for Applications is hands-on class. The class features real life cases, hands one exercises, code scanning tools and defense plans. Participants would be methodically taken down to the source code level and exposed to the flaws in design and coding practices. The class would then focus on what are the proper ways of writing secure code and analyze the code base. This class addresses popular languages and platforms like VB/C# (.NET), Java(J2EE), PHP, ASP etc.
Friday, May 30, 2008
This paper describes technique to deal with blind SQL injection spot with ASP/ASP.NET applications running with access to XP_CMDSHELL. It is possible to perform pen test against this scenario though not having any kind of reverse access or display of error message. It can be used in completely blind environment and successful execution can grant remote command execution on the target application with admin privileges.
Download - PDF
Read here in HTML
Thursday, March 20, 2008
Introduction and adaptation of new technologies like Ajax, Rich Internet Applications and Web Services has changed the dimension of Application Hacking. We are witnessing new ways of hacking web based applications and it needs better understanding of technologies to secure applications. The only constant in this space is change. In this dynamically changing scenario in the era of Web 2.0 it is important to understand new threats that emerge in order to build constructive strategies to protect corporate application assets. Application layers are evolving and lot of client side attack vectors are on the rise like Ajax based XSS, CSRF, Widget injections, RSS exploits, Mashup manipulations and client side logic exploitations. At the same time various new attack vectors are evolving around SOA by attacking SOAP, XML-RPC and REST. It is time to understand these advanced attack vectors and defense strategies.Presentation Title: Securing Next Generation Applications – Scan, Detect and Mitigate
McKinsey’s recent global survey suggested that 80% of companies are investing in Web 2.0 technologies. Web 2.0 technologies are no longer restricted to social networking site but forming backend to enterprise level applications. This evolution is giving rise to next generation application hacking and attack vectors. It is imperative to understand these new attacks and scanning methods to detect vulnerabilities. This presentation will be full of real life cases, live demonstrations, new tools and techniques along in-depth coverage on the latest concepts and methodologies.
Session Code: SOA-202
Session Title: Web 2.0 Security Chess: Combat Strategies and Defense Tactics
Scheduled Date/Time: Wednesday, April 09 09:10 AM
RED ROOM 310
Session Abstract: Ajax, web services and rich Internet (Flash) are redefining moves on the security chessboard. Attack strategies are emerging like cross-site scripting with JSON or cross-site request forgery with XML. This session will cover Web 2.0 attacks, tools for assessment, and approaches for code analysis with demonstrations. Professionals can apply knowledge in real life to a secure Web 2.0 application layer.
Thursday, March 13, 2008
[.NET iHTTPModule - Interesting stuff]
Sunday, March 09, 2008
Monday, March 03, 2008
Saturday, February 16, 2008
Scanning Applications 2.0 - Next generation scan, attacks and tools
Ajax, Web Services and Rich Internet (Flash) are redefining application security scanning challenges and strategies. We are witnessing some emerging attack vectors like Cross Site Scripting with JSON, Cross Site Request Forgery with XML, WSDL scanning, XPATH injection with XML streams etc. This presentation will cover Web 2.0 attacks, new scanning tools for assessment and approaches for Web 2.0 code analysis with demonstrations. Professionals can apply knowledge in real life to secure Web 2.0 application layer.